
[Resolved] Something I can't explain


David40


While trying to post a spam email to SpamCop I will go through the pasted email line by line and edit out the "ad" that my AVG Antivirus tags onto every email I send or receive (www.avg.com). Once in a while, after going through an email I'll discover I can't find any link to AVG, but when I process the email I see the AVG URL has been found in the email with the usual "ISP does not wish to receive...blah, blah, blah."

So the question is, how is it the AVG URL is being found by SPAMCOP when I can't find the AVG URL in the email? Is it possible it's somehow hidden from view? I can't explain it.

Thanks


Hi, David40,

...If you would be willing to provide a "Tracking URL" of a SpamCop parse of such a spam, we may be better able to answer your question. Some possibilities that occur to me:

  • The spam is constructed in a way that prevents your e-mail client from displaying the URL to you.
  • The URL is actually in a header rather than the spam body.
  • The messages from the SpamCop parser that mention AVG are doing so not due to an AVG URL but a reference to a host for which AVG is the abuse address. This is almost certainly not the answer in your case based on what you have posted ("I see the AVG URL has been found in the email").


Even though AVG does not get reported it makes me wonder what else might be being hidden. I'm curious about the "how" as well. I'll post the Tracking URL next time I get one of those, which is not often.

Thanks


  • 2 weeks later...

Hi, David40,

...If you would be willing to provide a "Tracking URL" of a SpamCop parse of such a spam, we may be better able to answer your question.

Just got one. I search through this email and I cannot find any reference URL or address referring to AVG, but SpamCop finds it in there somewhere.

http://www.spamcop.net/sc?id=z5922358693z8...003a64a7a49d13z


Yes, the links are in the Base64 stuff (as text), including innocent bystander AVG. Evidently parser "de-obfuscating" works just fine on that.

Incidentally, I use ToastedSpam for decoding - and there are many others. Had to remove line wrapping in the code by the way - O/P's mail client or something else in the receipt-copy-paste chain is not ideal for forensics but no big thing.

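The behaviour described in the last reply, as an added example that is not part of the original thread: a URL search over the pasted source finds nothing, while the same search after undoing the Base64 transfer encoding finds both links. The sample message, the `shop.example.com` link and the function names are constructed for illustration.

```python
import base64
import re
from email import message_from_string
from email.policy import default

# Matches http(s) links and bare www. hosts such as the AVG footer link.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def build_sample():
    """Constructed sample: a message whose only body part is Base64-encoded."""
    body = ("Special offer: http://shop.example.com/offer\n"
            "--\n"
            "Checked by AVG - www.avg.com\n")
    # encodebytes wraps its output at 76 characters, like real mail does.
    b64 = base64.encodebytes(body.encode("utf-8")).decode("ascii")
    return ("From: sender@example.com\n"
            "Subject: constructed sample\n"
            "MIME-Version: 1.0\n"
            "Content-Type: text/plain; charset=utf-8\n"
            "Content-Transfer-Encoding: base64\n"
            "\n" + b64)


def urls_in_raw(raw):
    """URLs visible when reading the pasted source line by line."""
    return URL_RE.findall(raw)


def urls_after_decoding(raw):
    """URLs found once each text part's transfer encoding is undone."""
    msg = message_from_string(raw, policy=default)
    found = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip containers and non-text attachments
        # get_content() decodes Base64/quoted-printable and the charset;
        # the Base64 decoder ignores the line wrapping in the encoded body.
        found += URL_RE.findall(part.get_content())
    return found


if __name__ == "__main__":
    sample = build_sample()
    print("raw source:    ", urls_in_raw(sample))
    print("after decoding:", urls_after_decoding(sample))
```
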

Archived

This topic is now archived and is closed to further replies.
